CyberWire Daily - Update on supply chain seeding reports. GRU comes in for more criticism. UK prepares cyber retaliatory capability. Power grid resilience. Panda Banker. Google's good and bad news.

Episode Date: October 9, 2018

In today's podcast we hear that Bloomberg's report of a Chinese seeding attack on the IT hardware supply chain comes in for skepticism, but Bloomberg stands by—and adds to—its reporting. Everyone is seeing Russia's GRU everywhere, and Russia feels aggrieved by the accusations. The UK prepares a retaliatory cyber capability. The US looks to grid security. Cylance describes Panda Banker. Google had a good day in UK courts Monday, but a bad day elsewhere. Justin Harvey from Accenture with thoughts on OSINT reconnaissance. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/October/CyberWire_2018_10_09.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K.
Starting point is 00:01:22 Bloomberg's report of a Chinese seeding attack on the IT hardware supply chain comes in for skepticism, but Bloomberg stands by and adds to its reporting. Everyone is seeing Russia's GRU everywhere, and Russia feels aggrieved by the accusations. The UK prepares a retaliatory cyber capability, the US looks to grid security,
Starting point is 00:02:18 Cylance describes Panda Banker, and Google had a good day in UK courts Monday, but a bad day elsewhere. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, October 9, 2018. Bloomberg's report of Chinese hardware seeding attacks on the IT supply chain received more skeptical criticism over the long holiday weekend. Both Apple and Amazon quickly denied the report as soon as it was published, and their denials were specific and unambiguous. On Friday, the UK's National Cyber Security Centre said it had no reason to doubt Apple's and Amazon's assessments. On Saturday, the US Department of Homeland Security agreed. They said, quote, Like our partners in the U.K., at this time we have no reason to doubt the statements
Starting point is 00:03:12 from the companies named in the story, end quote. Bloomberg's story said that the incident was under government investigation, but DHS and, for that matter, GCHQ each deny investigating the issue. There are of course other agencies who might investigate. The hardware security expert cited by name in the Bloomberg story, Joe Fitzpatrick, told the Risky Business podcast that the analysis he provided was more along the lines of this is what could happen as opposed to this is what did happen. Fitzpatrick also said that he was uncomfortable with the story as published and that he told Bloomberg the account of the chips being used as a backdoor
Starting point is 00:03:51 didn't make much sense to him. And an op-ed in CSO disputes the seeding attack story on grounds of a priori probability. Why, asks columnist Robert Grimes, would Chinese intelligence compromise the hardware supply chain when it was already enjoying general success in stealing intellectual property by conventional hacking? And why would they do so in a way bound to damage
Starting point is 00:04:15 their own manufacturers' solid position in the market? We can think of several answers. Poorly coordinated operations, the competing agency equities and attendant disagreement over tactics that appear in any government, simply folly or miscalculation, or perhaps the basic animal tendency we all share of enjoying doing things we're capable of doing. But Grimes' point is worth considering. It does seem like an oddly conceived operation. For its part, Bloomberg is standing by its story. Late this morning, they published a follow-on,
Starting point is 00:04:48 including on-the-record statements by experts at Sepio Systems, a Maryland-based security firm, to the effect that Sepio had indeed found the Chinese spy chips in systems belonging to one of Sepio's clients, a telecommunications company. Non-disclosure agreements preclude Sepio from saying who that client was, but they do say they found the hardware implant in a Supermicro component. The spy chip was found in the server's Ethernet connector, they say.
Starting point is 00:05:17 No one would seriously dispute that the kind of supply chain attack described by Bloomberg would be a nightmare, as the Daily Beast puts it, but whether the nightmare came true remains an open question. As Bruce Schneier pointed out in a Marketplace interview, the IT supply chain is probably irreversibly internationalized and couldn't be made otherwise without costs no one would reasonably be willing to pay. Germany has joined other nations in attributing widespread cyber attacks to Russia's GRU, that's APT28, also known as Fancy Bear. Latvia accused the same Russian agency of hacking its defense and other government networks, and Brazil is voicing concerns about
Starting point is 00:05:58 Russian election influence operations. Russia continues to deny having done anything at all, and Moscow is calling in the Netherlands ambassador to demand an explanation of why his government is saying bad things about the GRU. The GRU officers expelled from the Netherlands last week weren't, says Moscow, GRU officers at all, even if there were any such thing as the GRU. They were just tourists. We imagine them as being tulip and windmill aficionados. The UK continues to be justifiably upset about the Novichok attacks and Russia's accompanying information campaign about them. But the UK is even more concerned,
Starting point is 00:06:40 and has been for some time, about attacks on its critical infrastructure, especially power distribution systems. The Times of London and Quartz, among other news services, report that the UK is preparing a retaliatory capability against Russian cyber attacks. According to the Times, that capability is being tested in exercises. According to Quartz, the prospective target of the retaliation is the Russian power grid. The U.S. Department of Energy is also warning of the possibility of attacks on the grid, with Secretary Perry suggesting last week that the threats range across the usual spectrum, from a kid in a parent's basement to a nation-state espionage service.
Starting point is 00:07:20 The department is investing in various R&D projects designed to increase grid resilience. They mention protecting alternative energy sources like wind turbines, and there's an evident interest in protecting turbines more generally considered. Last week's multinational accusations against Russia's GRU included, among many other particulars, an account of GRU hacking of Pittsburgh-based Westinghouse. Where reports discussed the Westinghouse intrusion, they made prominent mention of the company's work on nuclear reactors. The juxtaposition of cyberattack and nuclear is always scary enough,
Starting point is 00:07:57 but it's worth placing this in the context of cyberthreats to critical infrastructure and industrial processes more broadly considered. Phil Neray, VP of Industrial Cybersecurity at CyberX, put it this way to us in an email, quote, Almost buried in the indictment is a description of how the GRU hacked Pittsburgh-based Westinghouse, whose power plant designs are used in about half of the world's nuclear power plants. One of the motivations for this attack would be to steal sensitive design information about industrial control systems so that Russian threat actors could further compromise critical infrastructure in the West. This is pretty sobering, especially
Starting point is 00:08:34 when you realize that the GRU is also responsible for unleashing NotPetya on the world, a destructive worm which has been called the most devastating cyber attack in history. End quote. Note the point about the threat of preparatory reconnaissance. We tend to think of hacks against industrial firms as having the theft of intellectual property as their goal. That's certainly been true enough, particularly with respect to Chinese industrial espionage. But there are other reasons to go after a company's files, and Battlespace Preparation is one of them. Security firm Cylance today released their study of PandaBanker, the malware that's targeted bank accounts, credit cards, and web wallets,
Starting point is 00:09:15 mostly in the United States, Canada, and Japan. It infects systems through API hooking, injecting its scripts into a target web page in the victim's browser. Panda Banker's malware is notable for what Cylance calls heavy code obfuscation and multi-encryption layering. Upon installation, it checks for both sandboxing and manual analysis, looking for packet capture programs, debuggers, disassemblers, and similar analytical tools. If it detects any of these, it exits and deletes itself from the victim's system. Panda Banker was first observed working against Japanese banks in March
Starting point is 00:09:51 of this year. In August, Cylance observed it in action against other Japanese companies. There's no further attribution beyond the description of the threat actor. It is regarded as a variant of the familiar Zeus Trojan, which suggests a criminal gang. As the week opened, Google was the subject of some good news and some bad news. First, the good news. Good for Google. Yesterday in the UK, the High Court threw out a suit that could have cost Google 3.3 billion pounds. The suit concerned illegitimate data collection from Apple's Safari browser, the Safari Workaround, between August 2011 and February 2012. Google has settled various U.S. claims over the same incident
Starting point is 00:10:35 for a total of $39.5 million. And the bad news. Google announced yesterday that it would wind down its social network. Google Plus had been commercially disappointing. It was also leaky. The Wall Street Journal reports that Google Plus revealed user data to app developers without users' knowledge. The Journal says Google knew about the API issue in March,
Starting point is 00:11:05 but decided on legal advice that it wasn't strictly speaking obligated to disclose it. Mountain View feared regulatory scrutiny and reputational damage. Google has also said it wasn't able to find out enough about what had been or could have been affected by the API mishap to notify anyone, so individual notifications would have been effectively impossible. It's as if Sophocles has come to Silicon Valley. Just as exposing the infant Oedipus on a mountainside brought about the very disaster it was intended to avert, so too will legal maneuvering through regulatory loopholes
Starting point is 00:11:35 probably bring about the closure of those loopholes, tighter regulation, and more public odium. Well, maybe that's overstating things. We're not quite sure how far to push the analogy. But it does seem clear that Google will face increased scrutiny, and that sentiment for national as opposed to state-level regulation of breach disclosure and data privacy matters will surge, at least for now. The demise of Google Plus may also have some implications for the antitrust scrutiny
Starting point is 00:12:04 the social media sector is currently facing. Do network effects operate so strongly in the sector as to render single large incumbents effectively immune to challenge by competitors? If Google can't compete in that space, who can?
Starting point is 00:14:09 And I'm pleased to be joined once again by Justin Harvey. He's the Global Incident Response Leader at Accenture. Justin, we wanted to talk today about some of the methods that hackers are using
Starting point is 00:14:53 to perform reconnaissance to go through that system and see what's going on. What can you share with us? Well, what I can share with you is that the OSINT, the Open Source Intelligence Network, the internet, all of the sources available today are not making it any easier for us as defenders, and it's only making it easy for the bad guys. Let's just take a few years ago when adversaries could profile companies, they could take a domain name, they could plug it into a system. They could get not only who registered the domain name, but all the changes of people that have touched that domain information. They can list all of the hosts within that domain name. So you can see things like, do they call their email system email?
Starting point is 00:15:37 Or do they call it mail? Or call it OWA? Or perhaps they call it outlook.domain.com. And that sort of discovery enables adversaries to then connect and do a port scan across all of those systems. So let's take, for instance, vpn.domain.com. They're going to run a port scan versus that host. They're going to see that there's a commonly known VPN port that's there. They're going to connect to it. And in some cases, you can actually derive what VPN software and what version, and then of course run that against things like the National
Starting point is 00:16:10 Vulnerability Database and see if that is vulnerable. But it doesn't stop there. That's old school. That's the manual way. Today, there's websites like Shodan. And Shodan, its main purpose is to scan literally every IP address out in the internet today and to connect up to every one of those hosts and do a port scan and then find the commonly understood protocols and also do some analysis or some analytics around that to see what's vulnerable. So if you wanted to see, for instance, for all of the publicly exposed webcams of this certain overseas vendor between version this and that running on this port, you could then go to Shodan and get a complete report about that. So it's getting even
Starting point is 00:17:00 easier to profile organizations from a technical level. Now, what about this notion, I've heard organizations are using misdirection. So if someone comes in and tries to scan them, they'll see stuff that doesn't tell them the real story. So deception-based computing, things like honeypots or displaying false information is certainly a means to throw off and to introduce a smoke screen to your adversaries. But let's not forget that many companies have to expose legitimate ports and services to their customers or to their partners. So while that may throw off the scent or mislead or misdirect potential adversaries, there's still quite a few ports and services that need to be
Starting point is 00:17:52 exposed for an organization in order to do their normal course of business. Okay, so that's the technical side of things. But what about the human side? What kind of stuff are they doing to get information on the people? Like all of us, when we're upset or we want to contact the leadership of a company, we can go there, we can look at the About Us, we can look at the contact page, perhaps we can even look at their board of directors and their C-suite, their pictures. That gets us the name of the company officers. And even if a company is public and they don't publish that information, you can still get it through SEC filings like their 10K. So that gets you the listing of some of the top employees in the company. Then it's just a matter of inserting those names into things
Starting point is 00:18:37 like Google, LinkedIn, Facebook, Instagram, Twitter, and you can derive a lot of insight and information. Let's say that you're profiling the CFO of an organization, and this woman, let's say that you search for her on Facebook, and there's not a whole lot on Facebook, but she did post that she and her son ran a 5K in the city that they live in. Well, now you know that this CFO has a son and you know that she's an avid runner. Then let's go to LinkedIn and let's search on her. And let's say you actually make a fake profile, which many of our adversaries do. Let's say it's someone from her alma mater, from her college. You connect up with her and then you see her personal email address.
Starting point is 00:19:25 Now you have who she is, basically where she lives. She has a son, she's a runner, she ran a race, you have her personal email address. That's enough to craft a specifically targeted phish to her on her personal email address. Perhaps it's an attachment, perhaps you wanted to click on a link and now you've got her. So even in a worst case scenario, let's say that that CFO reads that email and clicks the link, but she does it from her work computer. Now you've even been able to compromise someone on the inside. And if they click that phishing link from her personal email address, now you've also circumvented all of the email security and email controls and you're within her browser. So adversaries, this is straight out of the book of what most of our adversaries are doing on a day-to-day basis.
Starting point is 00:20:16 Yeah. All right, Justin Harvey, thanks for joining us. Thank you, Dave. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too.
Starting point is 00:21:30 The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Thanks for listening. We'll see you back here tomorrow.
